The comeback of Mamba – the destructive virus is distributed again

Mamba ransomware is a malicious computer virus that is most known for attacking San Francisco’s Muni in 2016. The virus is also known as HDD Cryptor, and it functions similarly to Petya virus. The malware employs open-source full disk encryption software for Windows OS – DiskCryptor.

After infecting the system, Mamba runs its processes to encrypt files on the victim’s computer. After compromising the system, the virus restarts the computer to display a short message on a blank black screen. The virus says: “You are Hacked! H.D.D. Encrypted, Contact Us for Decryption Key (email address here). Your ID: [victim’s ID].”

Currently known variants of Mamba leave one of the following email addresses for the victims:

w889901665@yandex.com;

mrcrypt2017@yandex.com;

citrix2234@protonmail.com.

The ransomware suggests entering a “key” for data decryption. The key can be obtained only by paying a ransom to cyber criminals. According to several reports, the virus’s authors demand one Bitcoin per infected computer. More details regarding data recovery are revealed to the victim after one writes to one of the provided emails (we do not recommend doing so!).

Remember that cyber criminals aim to extort you, but that doesn’t mean that they are trustworthy enough to fulfill their part of the agreement, meaning that they might decide not to provide you with data recovery key. For this reason, we recommend you to keep your money to yourself and not waste them by playing by criminals’ rules.

You must remove Mamba virus from the system using a professional anti-malware software. You should choose a reliable security product to complete this task. We highly recommend Reimage for Mamba removal.

UPDATE. Mamba ransomware resurfaces in summer 2017

The malicious software was spotted rampaging in Brazil and Saudi Arabia in August 2017. The attacker leverages psexec utility to launch the ransomware on target computers. The ransomware creates a folder for DiskCryptor files on victim’s computer and uses it for data encryption later on.

Before compromising victim’s files, the virus prepares for this task first. Once it drops its components into the freshly created C:\Xampp\http folder, it installs DiskCryptor driver and registers a system service called DefragmentService. Once these tasks are complete, the virus restarts the compromised computer.

Finally, the malware setups a bootloader to MBR and starts the encryption process using the DiskCryptor. Finally, the virus reboots victim’s computer again to display the scary message asking to contact cybercriminals. In this new Mamba 2017 version, these emails are provided to the victim: mrcrypt2017@yandex.com and citrix2234@protonmail.com.

Mamba ransomware is best known for its attack against San Francisco’s Muni railway network. The virus successfully compromised railway’s computers, allowing passengers take rides for free.

The ransomware compromised over 2,112 computers. The cyber extortionists attempted to demand a ransom of 100 Bitcoin in exchange for network recovery, but the railway’s authorities rejected this “offer.”

Distribution of ransom-demanding viruses

Ransomware isn’t a Trojan, but it infects victim’s computer in a similar manner. Developers of ransomware tend to obfuscate the malicious payload in the form of a safe-looking email attachment, usually an archive or a document.

You should never attempt to open files or links you received from strangers. On top of that, stay away from Internet sites that seem untrustworthy to you. It can be hard to identify hazardous content online, especially if you are not a tech-savvy person, but that is why anti-spyware and anti-malware products are for.

They can help you to protect your PC from ransomware attack. Finally, you must create a data backup and update it regularly. This helps to recover encrypted files in case the ransomware successfully enters your computer unnoticed.

Remove Mamba ransomware from the system

We do not recommend you to test your malware removal skills and remove Mamba virus professionally. For that, you should rely on a secure malware removal tools. Ideally, use an up-to-date anti-malware program. If you do not have one yet, consider installing a program recommended by our team.

Remember that unsuccessful Mamba removal attempts can leave your files compromised for good. If you do not want to damage them permanently or if you do not want to cause more computer security-related problems, follow these expert tips on how to eliminate ransomware from an infected computer.

We might promote some affiliate products. An entire disclosure is provided in our Terms and Conditions. By Downloading any recommended Anti-spyware software to uninstall Mamba ransomware you accept our privacy policy and terms and conditions.

What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.

Computer security experts recommend using Reimage to uninstall Mamba ransomware. Reimage scans the entire computer system and checks whether it is infected with spyware/malware or not. If you want to remove computer threats and secure your computer system, you should consider buying the licensed version of Reimage. You can find more details about this program in Reimage review.

Once your computer starts, select Enable Safe Mode with Networking from the list of options in Startup Settings.

Step 2: Remove Mamba

Sign in to your account and launch any Internet browser. Download a legitimate anti-malware software, for instance, Reimage. Make sure you update it to the latest version and then run a full system scan with it to detect and eliminate all malicious components of the ransomware to remove Mamba completely.

If your ransomware does not allow you to access Safe Mode with Networking, please follow the instructions provided below.

Once your computer starts, select Enable Safe Mode with Command Prompt from the list of options in Startup Settings.

Step 2: Perform a system restore to recover files and settings

When the Command Prompt window appears, type in cd restore and press Enter.

Then type rstrui.exe and hit Enter..

In a new window that shows up, click the Next button and choose a restore point that was created before the infiltration of Mamba and then click on the Next button again.

To start system restore, click Yes.

After restoring the computer system to an antecedent date, install and check your computer with Reimage to uncover any remains of Mamba.

Bonus: Restore your files

Using the tutorial provided above you should be able to eliminate Mamba from the infected device. novirus.uk team has also prepared an in-depth data recovery guide which you will also find above.

We want to remind you that paying the ransom doesn't necessarily help to recover corrupted data. You might never get an answer from cyber criminals, especially after paying the amount of money they ask you. If you do not have a data backup, you should try these methods.

There are a couple of methods you can apply to recover data encrypted by Mamba:

phoned computer support specialists
downloaded a security program
removed it using free removal instructions
used an automatic removal tool and removal instructions
contacted support via email
got answer via Ask Us service